
Re: HSTS, mixed content, and priming

From: Brian Smith <brian@briansmith.org>
Date: Tue, 25 Aug 2015 00:38:26 -0700
Message-ID: <CAFewVt7yQHbhzz9gwx_P6HdAitBFNykNTtFK0ECk_2L708c_oQ@mail.gmail.com>
To: Tanvi Vyas <tvyas@mozilla.com>
Cc: Richard Barnes <rbarnes@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
Tanvi Vyas <tvyas@mozilla.com> wrote:

> On Aug 24, 2015, at 11:24 PM, Brian Smith <brian@briansmith.org> wrote:
>
> > Neither "priming" nor u-i-r are secure against an active MitM so websites
> > cannot rely on them for security. Websites need to use https://
> > subresource links to actually be secure.
>
> How so? Neither priming nor u-i-r has to make an HTTP request. The browser
> makes an HTTP request only when priming fails.
>

The MitM can block the priming request/response.

Cheers,
Brian
-- 
https://briansmith.org/
Received on Tuesday, 25 August 2015 07:38:54 UTC
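As an added illustration that is not part of the thread, the following constructed Python model captures the point Brian makes: an http:// subresource that is upgraded only when a priming probe succeeds falls back to plaintext when an active attacker simply drops the probe, whereas an explicit https:// link fails closed. The `Network`, `prime` and `load_subresource` names are assumptions of this model, not browser APIs.

```python
# Added example (not from the thread): a toy model of how a browser picks the
# scheme for a subresource under "priming", and why an active network attacker
# who blocks the priming probe gets a plaintext fetch instead.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Network:
    """Constructed network model. An active MitM can drop TLS connections
    (block_tls) and tamper with anything sent over plain HTTP (tamper_http).
    It cannot forge an authenticated TLS response."""
    block_tls: bool = False
    tamper_http: bool = False

    def fetch(self, scheme: str, host: str) -> Optional[str]:
        if scheme == "https":
            # TLS either completes authenticated or fails; no silent downgrade.
            return None if self.block_tls else f"authentic:{host}"
        return f"tampered:{host}" if self.tamper_http else f"plaintext:{host}"


def prime(net: Network, host: str) -> bool:
    """HSTS priming (assumed shape): probe the host over https before
    upgrading. A blocked probe looks exactly like a host without https."""
    return net.fetch("https", host) is not None


def load_subresource(net: Network, url: str, policy: str) -> str:
    scheme, host = url.split("://", 1)
    if scheme == "https":
        body = net.fetch("https", host)
        return body if body is not None else "blocked"   # fails closed
    if policy == "priming" and prime(net, host):
        return net.fetch("https", host)                   # upgraded
    # Policy "none", or the priming probe failed: plain http is used.
    return net.fetch("http", host)                        # fails open


if __name__ == "__main__":
    mitm = Network(block_tls=True, tamper_http=True)
    print(load_subresource(Network(), "http://cdn.example", "priming"))
    print(load_subresource(mitm, "http://cdn.example", "priming"))
    print(load_subresource(mitm, "https://cdn.example", "priming"))
```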
